[cups.bugs] [CRIT] STR #2790: buffer overflows in filters

Thomas Pollet thomas.pollet at gmail.com
Tue Apr 8 11:21:40 PDT 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

1) filter/image-png.c

img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and
CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).

malloc(img->xsize * img->ysize * 3) can result in a buffer that's too
small. Also, the return codes of a lot of the mallocs aren't checked; when
a NULL pointer is passed to png_read_row, it may be possible to corrupt
memory this way as well. I have a .png that does this.

2) filter/image-zoom.c
There are a couple of mallocs in this file that look equally dangerous:
malloc(z->xsize * z->depth)
I haven't crashed it, but by looking at the code it seems there is no check
for the multiplication to overflow (the checks for MAX_WIDTH and MAX_HEIGHT
are insufficient when width and height are used in multiplication).

If you need more information, please let me know.

Regards,
Thomas Pollet

Link: http://www.cups.org/str.php?L2790
Version: 1.3-current
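The arithmetic the report describes (xsize * ysize * depth wrapping before it reaches malloc) and the overflow-checked size computation a fix needs, as an added example written for this page; it is not CUPS code, and the 256 MiB cap is a constructed policy value, not a CUPS constant.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed cap for this example (not a CUPS value): refuse any image buffer
 * larger than 256 MiB even when the arithmetic itself would not overflow. */
#define IMAGE_MAX_BYTES ((size_t)256 * 1024 * 1024)

/* Shows the arithmetic the report describes: xsize * ysize * depth evaluated
 * in 32-bit arithmetic (the width of the int fields), giving the wrapped value
 * that would be handed to malloc(). uint32_t is used so the wrap is defined. */
static uint32_t wrapped_int32_size(int xsize, int ysize, int depth)
{
    uint32_t n = (uint32_t)xsize * (uint32_t)ysize;
    return n * (uint32_t)depth;
}

/* Overflow-checked size for an xsize-by-ysize image with `depth` bytes per
 * pixel. Returns the exact byte count, or 0 if any factor is non-positive, if
 * the product would not fit in size_t, or if it exceeds IMAGE_MAX_BYTES.
 * Pure: does not allocate. A valid image never has size 0, so 0 is unambiguous. */
static size_t image_buffer_size(int xsize, int ysize, int depth)
{
    size_t w, h, d, total;
    if (xsize <= 0 || ysize <= 0 || depth <= 0)
        return 0;
    w = (size_t)xsize; h = (size_t)ysize; d = (size_t)depth;
    /* w*h overflows size_t exactly when w > SIZE_MAX / h */
    if (w > SIZE_MAX / h)
        return 0;
    total = w * h;
    if (total > SIZE_MAX / d)
        return 0;
    total *= d;
    if (total > IMAGE_MAX_BYTES)
        return 0;
    return total;
}

/* Drop-in for malloc(xsize * ysize * depth): NULL on a bad size or on
 * allocation failure, so a caller can never end up with an undersized buffer. */
static void *image_alloc_checked(int xsize, int ysize, int depth)
{
    size_t bytes = image_buffer_size(xsize, ysize, depth);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}
```

For a 65536 x 65536 RGB image the 32-bit product wraps to 0, so the unchecked code would call malloc(0) and then write the whole decoded image into it; the checked version rejects that size outright.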